Internet-Draft | HIC | April 2023 |
Li, et al. | Expires 25 October 2023 | [Page] |
This document describes the interactions between various IP controllers in a hierarchical fashion to provide various IP services. It describes how the Abstraction and Control of Traffic Engineered Networks (ACTN) framework is applied to the Hierarchy of IP controllers (HIC) as well as document the interactions with other protocols like BGP, Path Computation Element Communication Protocol (PCEP), and other YANG-based protocols to provide end to end dynamic services spanning multiple domains and controllers (e.g. Layer 3 Virtual Private Network (L3VPN), Seamless MPLS etc).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Software-Defined Networking (SDN) refers to a separation between the control elements and the forwarding components so that software running in a centralized system called a controller, can act to program the devices in the network to behave in specific ways. A required element in an SDN architecture is a component that plans how the network resources will be used and how the devices will be programmed. It is possible to view this component as performing specific computations to place flows within the network given knowledge of the availability of network resources, how other forwarding devices are programmed, and the way that other flows are routed. The Application-Based Network Operation (ABNO) [RFC7491] describes how various components and technologies fit together.¶
A domain [RFC4655] is any collection of network elements within a common sphere of address management or path computation responsibility. Specifically, within this document, it means a part of an operator's network that is under common management. Network elements will often be grouped into domains based on technology types, vendor profiles, and geographic proximity and under a domain controller.¶
Multiple such domains in the network are interconnected, and a path is established through a series of connected domains to form an end-to-end path over which various services are offered. Each domain is under the control of the domain controller (or lower-level controller), and a "super controller" (or high-level controller) takes responsibility for a high-level view of the network before distributing tasks to domain controllers (or lower-level controllers). It is possible for each of the domain to use a different tunnelling mechanism (eg RSVP-TE, Segment Routing (SR) etc).¶
[RFC8453] describes the framework for Abstraction and Control of Traffic Engineered Networks (ACTN) as well as a set of management and control functions used to operate multiple TE networks. This documents would apply the ACTN principles to the Hierarchy of IP controllers (HIC) and focus on the applicability and interactions with other protocols and technologies (specific to IP packet domains).¶
Sometimes, service (such as Layer 3 Virtual Private Network (L3VPN), Layer 2 Virtual Private Network (L2VPN), Ethernet VPN (EVPN), Seamless MPLS) require sites attached to different domains (under the control of different domain controller) to be interconnected as part of the VPN service. This requires multi-domain coordination between domain controllers to compute and set-up an E2E path for the VPN service.¶
This document describes the interactions between various IP controllers in a hierarchical fashion to provide various IP services. It describes how the Abstraction and Control of Traffic Engineered Networks (ACTN) framework is applied to the Hierarchy of IP controllers (HIC) as well as document the interactions with control plane protocols (like BGP, Path Computation Element Communication Protocol (PCEP)) and management plane aspects (YANG models) to provide end to end dynamic services spanning multiple domains and controllers (e.g. L3VPN, Seamless MPLS, etc.).¶
Figure 1 show examples of multi-domain IP domains under the hierarchy of IP controllers.¶
The IP "Super Controller" receives a request from the network/service orchestrator to set-up dynamic services spanning multiple domains. The IP "Super Controller" breaks down and assigns tasks to the domain controllers, responsible for communicating to network devices in the domain. It further coordinates between the controller to provide a unified view of the multi-domain network.¶
As per [RFC8453], ACTN has following the main functions -¶
These functions are part of Multi-Domain Service Coordinator (MDSC) and/or Provisioning Network Controller (PNC). Further, these functions are part of the controller/orchestrator.¶
The HIC is an instantiation of the ACTN framework for the IP packet network. The IP domain (lower-level) controllers implement the PNC functionalities for configuring, controlling, and monitoring the IP domain. The "super controller" (high-level controller) implements the MDSC functionalities for coordination between multiple domains as well as maintaining an abstracted view of multiple domains. It also takes care of the service-related functionalities of the customer-mapping/translation and virtual service coordination.¶
The ACTN functions are part of the IP controllers and responsible for the TE topology and E2E path computation/set-up. There are other functions along with ACTN that are needed to manage multiple IP domain networks.¶
The interaction between super controller and the domain controllers in HIC is a combination of Control Plane and Management Plane interface as shown in Figure 2. BGP [RFC4271] and PCEP [RFC5440] are example of the control plane interface; whereas NETCONF [RFC6241] and RESTCONF [RFC8040] are examples of the management plane interface.¶
Note that ACTN's MDSC-PNC Interface (MPI) could be implemented via management plane interface using YANG models [I-D.ietf-teas-actn-yang] or via PCEP control plane interface [RFC8637].¶
The Domain Controller is expected to be aware of the topology of the network devices in its domain. The domain controller could participate in the IGP ([RFC3630] and [RFC5305]) or use BGP-LS [I-D.ietf-idr-rfc7752bis] by which link-state and TE information is collected and shared with the domain controller using the BGP routing protocol.¶
An alternate approach would be to rely on the management plane interface which uses the YANG model for network/TE Topology as per [RFC8345] and [RFC8795].¶
The domain controller is expected to share the domain topology to the Super Controller, as per ACTN (where PNC abstract the topology towards MDSC). A level of abstraction is usually applied while presenting the topology to a higher-level controller. Topology abstraction is described in [RFC7926] as well as [RFC8453]. BGP-LS, PCEP-LS [I-D.dhodylee-pce-pcep-ls] or management plane interface based on the abstracted network/TE Topology could be used to carry the abstract topology to the super-controller. At minimum, the border nodes and inter-domain links are exposed to the super-controller.¶
Further [RFC8453] defines three types of topology abstraction - (1) Native/White Topology; (2) Black Topology; and (3) Grey Topology. Based on the local policy, the domain controller would share the domain topology to the Super Controller based on the abstraction type. Note that any of the control plane or management plane mechanism could be used to carry abstracted domain topology. The Super Controller's MDSC function is expected to manage a E2E topology by coordinating the abstracted domain topology received from the domain controllers.¶
The Domain Controller is responsible for computing and setup of path when the source and destination are in the same domain, otherwise the Super Controller coordinates the multi-domain path computation and setup with the help of the domain controller. This is aligned to ACTN.¶
PCEP [RFC5440] provides mechanisms for Path Computation Elements (PCEs) [RFC4655] to perform path computations in response to Path Computation Clients (PCCs) requests. Since then, the role and function of the PCE has grown to allow delegated control [RFC8231] and PCE-initiated use of network resources [RFC8281].¶
Further, [RFC6805] and [RFC8751] describes a hierarchy of PCE with Parent PCE coordinating multi-domain path computation function between Child PCE(s). This fits well with HIC as described in this document.¶
Note that a management plane interface which uses the YANG model for path computation/setup ([I-D.ietf-teas-yang-path-computation] and [I-D.ietf-teas-yang-te]) could be used in place of PCEP.¶
In case there is a need to stitch per domain tunnels into an E2E tunnel, mechanism are described in [I-D.ietf-pce-stateful-interdomain].¶
[RFC4456] describes the concept of route-reflection where a "route reflector" (RR) reflects the routes to avoid full mesh connection between Internal BGP (IBGP) peers. The IP domain controller can play the role of RR in its domain. The super controller can further act as RR to towards the domain controller.¶
BGP can provide routing policies for traffic management, like route preference, AS-path filter policy, IP-prefix filter policy and route aggregation. The controller can distribute these BGP policies into the routers in a single IP domain. For the scenario of multiple domains, the super controller can distribute per BGP Policy into each IP domain controller. Then the IP domain controller trickles down the BGP Policy to the network devices.¶
[RFC8955] describes the concept of BGP Flowspec that can be used to distribute traffic flow specifications. A flow specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic. The controller can originate the flow specifications and disseminate it to the routers. The flow action includes the redirection to a specific TE tunnel. Also, the IP domain controller could be responsible for collecting the flow sample in its domain and the super controller can act as the Flow Analysis Server.¶
[RFC7854] describes the BGP Monitoring Protocol (BMP) to monitor BGP sessions. BMP is used to obtain route views with a flexible way. In the fashion of hierarchical architecture, the IP domain controller can be used as the domain Monitoring Station. Meanwhile, the super controller is responsible for a high-level view of the global network state.¶
Seamless MPLS [I-D.ietf-mpls-seamless-mpls] describes an architecture which can be used to extend MPLS networks to integrate access and core/aggregation networks into a single MPLS domain.In the seamless MPLS for mobile backhaul, since there are multiple domains including the core network and multiple mobile backhaul networks, for each domain there is a domain controller. In order to implement the end-to-end network service provision, there should be coordination among multiple domain controllers.¶
Super Controller is responsible for setting the seamless MPLS service. It should break down the service model to network configuration model [RFC8309] and the domain controller further break it to the device configuration model to the PE/ASBR to make the E2E seamless MPLS service. The selection of appropriate ASBRs and handling of intra-domain tunnels is coordinated by the Super Controller in a similar fashion as shown in Section 4.2.¶
By enabling BGP sessions between Domain Controller and Super Controller, BGP labeled routes can also be learned at Super Controller. As Super Controller is aware of the (abstract) topology, it could make intelligent decisions regarding E2E BGP LSP to optimize based on the overall traffic information.¶
A Layer 3 IP VPN service is a collection of sites that are authorized to exchange traffic between each other over a shared IP infrastructure. [RFC4110] provides a framework for Layer 3 Provider-Provisioned Virtual Private Networks (PPVPNs). [RFC8299] provides a L3VPN service delivery YANG model for PE-based VPNs. The Super controller is expected to implement the L3SM model and translate it to network models towards the domain controller, which in turn translate it to the device model. See [RFC8309] for more details.¶
Based on the user data in the L3SM model, the network configurations need to be trickle down to the network device to set up the L3VPN.¶
[RFC9182] describes the need for a YANG model for use between the entity that interacts directly with the customer (service orchestrator) and the entity in charge of network orchestration and control which, according to [RFC8309], can be referred to as Service Delivery Model. The resulting model is called the L3VPN Network Model (L3NM).¶
Based on the QoS or Policy requirement for the L3VPN service, the Super Controller may -¶
Refer [I-D.ietf-teas-te-service-mapping-yang] for more details from ACTN perspective.¶
Apart from the Management plane interface based on respective YANG models, the control plane interface PCEP could be used for path computation and setup.¶
There are two fundamentally different kinds of Layer 2 VPN service that a service provider could offer to a customer: Virtual Private Wire Service (VPWS) and Virtual Private LAN Service (VPLS) [RFC4664]. A VPWS is a VPN service that supplies an L2 point-to-point service. A VPLS is an L2 service that emulates LAN service across a Wide Area Network (WAN). A BGP MPLS-based Ethernet VPN (EVPN) [RFC7432] addresses some of the limitations when it comes to multihoming and redundancy, multicast optimization, provisioning simplicity, flow-based load balancing, and multipathing, etc.¶
The handling of L2VPN/EVPN service is done in a similar fashion as shown in Section 4.2.¶
This sections list some of the possible features or protocol extensions that could be worked on to deploy HIC in a multi-domain packet network.¶
[Editor's Note - This list is expected to be updated in the next version with more details]¶
The Path Computation Element communication Protocol (PCEP) [RFC5440] provides mechanisms for Path Computation Elements (PCEs) [RFC4655] to perform path computations in response to Path Computation Clients (PCCs) requests.¶
The ability to compute shortest constrained TE LSPs in Multiprotocol Label Switching (MPLS) and Generalized MPLS (GMPLS) networks across multiple domains have been identified as a key motivation for PCE development.¶
A stateful PCE [RFC8231] is capable of considering, for the purposes of path computation, not only the network state in terms of links and nodes (referred to as the Traffic Engineering Database or TED) but also the status of active services (previously computed paths, and currently reserved resources, stored in the Label Switched Paths Database (LSPDB).¶
[RFC8051] describes general considerations for a stateful PCE deployment and examines its applicability and benefits, as well as its challenges and limitations through a number of use cases.¶
[RFC8231] describes a set of extensions to PCEP to provide stateful control. A stateful PCE has access to not only the information carried by the network's Interior Gateway Protocol (IGP), but also the set of active paths and their reserved resources for its computations. The additional state allows the PCE to compute constrained paths while considering individual LSPs and their interactions. [RFC8281] describes the setup, maintenance and teardown of PCE-initiated LSPs under the stateful PCE model.¶
[RFC8231] also describes the active stateful PCE. The active PCE functionality allows a PCE to reroute an existing LSP or make changes to the attributes of an existing LSP, or a PCC to delegate control of specific LSPs to a new PCE.¶
Computing paths across large multi-domain environments require special computational components and cooperation between entities in different domains capable of complex path computation. The PCE provides an architecture and a set of functional components to address this problem space. A PCE may be used to compute end-to-end paths across multi-domain environments using a per-domain path computation technique [RFC5152]. The Backward recursive PCE based path computation (BRPC) mechanism [RFC5441] defines a PCE-based path computation procedure to compute inter-domain constrained MPLS and GMPLS TE networks. However, both per-domain and BRPC techniques assume that the sequence of domains to be crossed from source to destination is known, either fixed by the network operator or obtained by other means.¶
[RFC6805] describes a Hierarchical PCE (H-PCE) architecture which can be used for computing end-to-end paths for inter-domain MPLS Traffic Engineering (TE) and GMPLS Label Switched Paths (LSPs) when the domain sequence is not known. Within the Hierarchical PCE (H-PCE) architecture, the Parent PCE (P-PCE) is used to compute a multi-domain path based on the domain connectivity information. A Child PCE (C-PCE) may be responsible for a single domain or multiple domains, it is used to compute the intra-domain path based on its domain topology information.¶
[RFC8751] state the considerations for stateful PCE(s) in hierarchical PCE architecture. In particular, the behaviour changes and additions to the existing stateful PCE mechanisms (including PCE- initiated LSP set-up and active PCE usage) in the context of networks using the H-PCE architecture.¶
[RFC8637] examines the applicability of PCE/PCEP to the ACTN framework in detail.¶
[RFC8283] introduces the architecture for PCE as a central controller as an extension of the architecture described in [RFC4655] and assumes the continued use of PCEP as the protocol used between PCE and PCC. Some related extension to PCEP [RFC9168] and [RFC9050] are also applicable in HIC.¶
[I-D.ietf-idr-rfc7752bis] describes a mechanism by which link-state and TE information can be collected from networks and shared with external components using the BGP routing protocol. This is achieved using a new BGP Network Layer Reachability Information (NLRI) encoding format and a new BGP path attribute (BGP-LS attribute) that carries link, node, and prefix parameters and attributes.¶
BGP-LS is another approach to collect network topology information. It is an extension to BGP for distribution of the network's link-state (LS) topology to external entities, such as the SDN controller. Network's link-state topology consists of nodes and links and a set of attributes. The link-state topology is distributed among the IGP domain. The specific protocol used in an IGP domain could be OSPF [RFC2238] or IS-IS [ISO10589]. Note that, the detailed link-state models of these two protocols are not identical. Therefore, BGP-LS can provide a more abstract topology model that can map the IGP models.¶
The domain controller acts as a consumer to collect the domain's link-state and TE information via BGP-LS. The domain controller would usually abstract the domain information towards the super-controller and further send it via BGP-LS.¶
BGP-Flowspec is a solution devised for preventing distributed Denial-of-service (DDoS) attack. BGP-Flowspec distributes specification rules into neighbours. [RFC8955] defines a new BGP NLRI encoding format that can be used to distribute traffic flow specifications. Additionally, it defines two applications of that encoding format: one that can be used to automate inter-domain coordination of traffic filtering, such as what is required in order to mitigate DDoS attacks; and a second application to provide traffic filtering in the context of BGP/MPLS VPN service.¶
The IP domain controller can act as the traffic sampling node. The super controller can act as the traffic analysis server. When the super controller finds the attack happened, the super controller should distribute the flow rules to associated IP domain controllers. And each IP domain controller should distribute the flow rules into the ingress routers. Additionally one of the actions taken could be "redirect" where flow could be redirected to the TE tunnels created by the controller.¶
[I-D.luo-grow-bgp-controller-based-ts] describes the traffic steering based on BGP controller. The traditional method for traffic steering depends on the static configuration which is time-consuming and inefficient. With the hierarchical IP controller, the IP domain controller can have the domain network topology view and routing information while the super controller can have the global network topology view and routing information. The super controller can compute the end-to-end paths to satisfy the differentiated service requirement. The IP domain controller may be used to distribute the routing policy into the routers. BGP policy varies in many aspects. Its goal is to meet the customer application and connectivity requirement, and specific service transport needs. So the super BGP controller is responsible for the coordination of multiple domain BGP Policy. And then distribute Policy to the related IP domain controller. The IP domain controller is responsible for distributing the policy to its network nodes.¶
[I-D.ietf-idr-rtc-hierarchical-rr] describes the route target (RT) constrain mechanism in the hierarchical route reflection (RR) scenario. [RFC4684] describes the route-target constrain mechanism to build a route distribution graph in order to restrict the propagation of Virtual Private Network (VPN) routes. [I-D.ietf-idr-rtc-hierarchical-rr] proposes a solution to address the RT constrain issue in the hierarchical RR scenarios. The super controller corresponding to higher level RR can receive the RT-constrain routes from the lower level RR, which is acted by the IP domain controller. The higher level RR will select one of the received routes as the best route. then it should advertise the best route to all the lower level RR to build the route distribution graph. This fits well with the HIC as described in this document.¶
This is a non-exhaustive list of possible YANG models developed or in-development that could be used for HIC.¶
[RFC8969] provides a framework that describes and discusses an architecture for service and network management automation that takes advantage of YANG modeling technologies. This is quite apt for HIC and includes interactions between multiple YANG models as described in [RFC8969].¶
[Editor's Note - the above list should be extended.]¶
The Network Configuration Protocol (NETCONF) [RFC6241] provides mechanisms to install, manipulate, and delete the configuration of network devices. The RESTCONF [RFC8040] describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in NETCONF.¶
Some other mechanism like gRPC/gNMI could also be used between controllers using the same YANG data models.¶
There are no IANA concerns in this document.¶
There are no new security concerns in this document.¶
Dailongfei (Larry) Huawei Technologies, Beijing, China Email: [email protected]¶